Install google-authenticator package
sudo apt-get install libpam-google-authenticator
Configure google-authenticator
Run google-authenticator as the user you want to be 2FA-authenticated and answer a few questions.
Shall this tool update your configuration file? Answer yes to this first question.
For maximum security:
- Disallow multiple uses of the same token (this restricts you to about one login every 30 seconds)
- Token time window: keep the default 30 sec, do not widen it to compensate for time skew
- Number of attempts: 3 per 30 seconds
The last one helps to prevent brute-force login attacks.
Scan the QR code (or type the secret key) with your favourite smartphone app.
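To make the three questions above concrete, here is an added example (not code from the original post or from the google-authenticator project) that computes the same TOTP codes the PAM module checks and models what the options mean: the 30-second step, the accepted skew window, "no reuse of a token" and "3 attempts per 30 seconds". It assumes the secret is the base32 string on the first line of ~/.google_authenticator and that codes are 6-digit HMAC-SHA1 TOTP (RFC 6238); the Verifier class is a hypothetical model of the checks, not the module's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step: the "30 sec" token window from the setup questions
DIGITS = 6     # google-authenticator issues 6-digit codes


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret google-authenticator writes on the first line of
    ~/.google_authenticator (upper-case, stored without '=' padding)."""
    s = b32.strip().upper().replace(" ", "")
    s += "=" * (-len(s) % 8)          # restore padding so b32decode accepts it
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, at // step)


class Verifier:
    """Hypothetical model of the module's checks (assumption, not its code):
    skew window, no token reuse, and a rate limit on attempts."""

    def __init__(self, key: bytes, window: int = 1, max_attempts: int = 3, rate_seconds: int = 30):
        self.key = key
        self.window = window                # steps accepted on each side of "now" (1 = 3 codes)
        self.max_attempts = max_attempts    # "3 attempts" ...
        self.rate_seconds = rate_seconds    # ... per 30 seconds
        self.last_used_step = None          # for "disallow multiple uses of the same token"
        self.attempts = []                  # timestamps of recent attempts, good or bad

    def verify(self, code: str, at: int) -> str:
        """Return 'ok', 'bad', 'reused' or 'rate-limited' for a code entered at time `at`."""
        self.attempts = [t for t in self.attempts if at - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"          # brute-force protection applies before any check
        self.attempts.append(at)
        now = at // STEP
        for candidate in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(self.key, candidate), code):
                if self.last_used_step is not None and candidate <= self.last_used_step:
                    return "reused"        # this token (or an older one) was already consumed
                self.last_used_step = candidate
                return "ok"
        return "bad"


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret "12345678901234567890" in base32,
    # i.e. what the first line of ~/.google_authenticator would look like for that key.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key, int(time.time())))
```

With window=1 (the tool's default answer of "no" to widening the window) the previous and next codes are accepted, so a phone a few seconds off still logs in; with window=0 only the current 30-second code is valid. Re-entering a code that already succeeded is refused, and a fourth attempt inside 30 seconds is refused before the code is even compared.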
Make your SSH config
Open /etc/ssh/sshd_config and make sure these global settings are present:
UsePAM yes
ChallengeResponseAuthentication yes
On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication; set KbdInteractiveAuthentication yes there instead.
While you can use the following parameters globally, I personally prefer a per-user config:
Match User fred
AuthenticationMethods publickey,keyboard-interactive
keyboard-interactive is the SSH method that hands the login to PAM, so it is what triggers the OTP prompt; listing it after publickey means the key must be accepted first. Keep Match blocks at the end of the file, since every line below a Match applies to that match only.
Make your PAM config
Open /etc/pam.d/sshd with your favorite editor :
sudo vim /etc/pam.d/sshd
Add the following line before the "@include common-auth" line:
auth required pam_google_authenticator.so
Restart your SSH server.
Test
For your own safety, keep your current SSH session open and, from another window, open a new SSH session to test your new 2FA authentication.
Alternative
If you want to get rid of the password prompt and rely only on your SSH key + your OTP, adjust your SSH PAM config like this:
# Standard Un*x authentication.
#@include common-auth
auth [success=1 default=ignore] pam_google_authenticator.so
auth requisite pam_deny.so
auth required pam_permit.so
Comment out the default common-auth entry (the section that actually prompts for a password) and add the three new 'auth' lines. On success, pam_google_authenticator skips the next line (pam_deny) and reaches pam_permit; on failure, control falls through to pam_deny, which rejects the login.